Re: Disable NetBIOS and NTLM on Windows 2003 Domain Controllers and Ex

From: Research Services (key_at_lamar.n0-sp@m.colostate.edu.NO)
Date: 10/04/04 

Date: Mon, 4 Oct 2004 11:02:04 -0600

Thanks for your response.

You indicate that Domain Controllers (may?) need NetBIOS for Active
Directory replication - do you know if there are any Microsoft documents
that address this "requirement" directly?

"Andrei Ungureanu" <AndreiUngureanu@discussions.microsoft.com> wrote in
message news:64B7F953-413E-4332-8B53-1D46C54CFAC3@microsoft.com...
> hmmm .. about NTLMv1/LM ... I don't think it's a problem disabling them
> (maybe only if you have some very old OS on your network). Regarding
> NETBIOS
> ... I think the domain controller need this functionality for the
> replication. Anyway, for fully disable NETBIOS and SMB check
> http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/a0604.mspx
> (as you can see it's not enough to check Disable Netbios over TCP/IP from
> Advanced TCP/IP settings).
>
> Andrei Ungureanu
> www.eventid.net
> Free Windows event logs reports
> http://www.altairtech.ca/evlog/
>
>
>
> "Research Services" wrote:
>
>> Is it possible to safely DISABLE NetBIOS and/or NTLMv1/LM on all Windows
>> 2000 and Windows 2003 Domain Controllers and/or Exchange 2003 servers
>> (within our own child domain) without affecting Windows networking
>> communications adversely?
>> We are a child domain in a single forest, we are NOT Enterprise
>> Administrators. Our DCs and Exchange are currently configured to refuse
>> and
>> not send LM.
>> All clients are Windows XP with NetBIOS already disabled and only talk
>> NTLMv2, there are no down-level clients (i.e., Win9x, NT4, Mac) in our
>> child
>> domain.
>> We are not sure if this will affect AD replication, especially between
>> other
>> child domains in the forest not controlled by us - OR if Exchange 2003
>> relies on NetBIOS and/or less than NTLMv2 to function correctly.
>>
>> Thanks for any input or help.
>>
>>
>>
>>

Relevant Pages